Because of its vital importance and the way it is interrelated, we think identity, policy, and audit information should be open, interoperable, and manageable. Our focus is on making identity, policy, and audit (some day) easy to centrally manage for the Linux and Unix world. Of course, we will need to interoperate well with Windows and much more.

We are looking to take concrete and useful steps and so have chosen initially to focus on Identity solutions for the Unix/Linux world.

For policy we focus on the host based access control management and enforcement. As for other aspects of the policy management related to systems management and configuration management, after serious evaluation we decided not to address these segments for now. There are other projects that are working in this direction. We will closely monitor those projects and integrate with them as interfaces become available.

We did a lot of research and evaluation in the audit area and realized that this is a significant effort and might require a project of its own. For now we decided not to disperse our energy and instead to work more on improving the identity and authentication aspects of the system. We will, however, continue to monitor open source projects in the audit-related space. One such project, created as a result of our evaluation, is ELAPI. Another recent project is Centralized Logging. We will continue investing in these directions.

What are the problems FreeIPA is trying to solve?

Focus on solving identity management across the enterprise providing a reliable open source alternative to existing solutions

Vendor focus on Web identity management problems has meant less well-developed solutions for central management of the Linux and Unix world's vital security information. Organizations are forced to maintain a hodgepodge of internal and proprietary solutions at high TCO.

Proprietary security products don't easily provide access to the vital security information they collect or manage. This makes it difficult to synchronize and analyze effectively.

What are the values behind the FreeIPA project?

Identity, policy, and audit information is vitally important and interrelated. Therefore, we think it should be open, interoperable, and manageable.

Open means the information is not held back as a proprietary value add, but is instead available to vendors and applications through standards wherever possible but always through well-documented and openly available protocols. It also means developing open source solutions and an open source community.

Interoperable means that systems storing or managing identity, policy, and audit information should provide backwards compatibility with existing systems and protocols, assume that infrastructure and systems will always be heterogeneous, and provide solutions that help heterogeneous systems work together rather than forcing migration to a single platform or technology.

Manageable means that systems managing this information should be easy to manage both centrally and locally (i.e., a central server is not required) and should follow the principle of subsidiarity, empowering individuals by enabling the delegation of administrative rights to the lowest level possible in an organization.

What are the recommendations for FreeIPA deployment?

Why is a FreeIPA client not backwards compatible?

When will we implement FreeIPA to FreeIPA trusts?

This is a feature in development (tracked in ticket 4867). FreeIPA to FreeIPA trusts can be implemented right after we complete the second leg of the Active Directory Trusts, i.e. Active Directory trusting FreeIPA users to access its resources or log in. FreeIPA to FreeIPA trusts will leverage the same interfaces (Global Catalog, which is tracked in ticket 3125).

Until the feature is implemented, it would be technically possible to create a Kerberos-only trust between two IPA realms in FreeIPA 4.2+, but this is not supported by any native interface yet. There is a hacky procedure described in Red Hat Bugzilla 1035494 or ticket 4059. Such a trust would have no support from IPA tools and no ability to resolve users or groups, or to support HBAC rules, sudo, etc. One could add additional SSSD domains on IPA clients to represent other realms, but this is not tested by upstream and the majority of features may not work in the intended ways.

It is important to understand that a Kerberos trust is only about authentication. Authorization decisions are application-specific, and the mapping of Kerberos-authenticated identities to the POSIX identities that applications see has to happen somewhere (this is the missing part). Additionally, enforcement of IPA-specific rules (RBAC or HBAC) is not ready for FreeIPA to FreeIPA trusts yet.

We welcome any help with these engineering efforts! See the Contribute page for ways to contact us.

Active Directory deprecated Identity Management for Unix (IDMU), what should I do?

With Windows Server 2012 R2, Microsoft announced the deprecation of the Identity Management for Unix (IDMU) and NIS Server role which will not be included starting with Windows Server 2016 Technical Preview (more information on TechNet Blog).

This means that there will no longer be a UI to set POSIX attributes for Active Directory users. Such users will no longer be able to authenticate to FreeIPA clients if the FreeIPA ID range is not configured to automatically generate UIDs and GIDs for the AD users.

There are multiple options for solving this issue on the FreeIPA side:

Generate POSIX attributes (especially UID, GID) automatically for AD users, based on their RID (recommended, especially for green field deployments)
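To make the recommended option concrete, here is an added example (not FreeIPA or SSSD project code) that models how an ID range for a trusted AD domain derives a POSIX ID from a user's RID. It assumes the range parameters mirror the `ipa idrange-add` options (base ID, range size, RID base, domain SID) and that the mapping is the linear formula posix_id = base_id + (rid - rid_base); the sample SID and range values are constructed.

```python
# Added example (not FreeIPA project code): algorithmic SID -> POSIX ID
# mapping as an "ipa-ad-trust" ID range is assumed to perform it.
# Assumption: posix_id = base_id + (rid - rid_base) when rid falls inside
# [rid_base, rid_base + range_size); SIDs from other domains or RIDs
# outside the range get no POSIX ID at all.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdRange:
    dom_sid: str      # SID of the trusted AD domain (no trailing RID)
    base_id: int      # first POSIX ID handed out by this range
    range_size: int   # number of POSIX IDs the range covers
    rid_base: int     # first AD RID that maps into this range


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID); reject malformed input."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_posix_id(sid: str, ranges: List[IdRange]) -> Optional[int]:
    """Return the POSIX UID/GID for a SID, or None if no range covers it."""
    dom, rid = split_sid(sid)
    for r in ranges:
        if r.dom_sid != dom:
            continue                      # range belongs to another domain
        if r.rid_base <= rid < r.rid_base + r.range_size:
            return r.base_id + (rid - r.rid_base)
    return None                           # user would be invisible to POSIX apps


# Constructed sample: one AD domain, 200000 IDs starting at 200000, RIDs from 0.
AD_RANGE = IdRange(
    dom_sid="S-1-5-21-3655990580-1375374850-1633065477",  # constructed SID
    base_id=200000,
    range_size=200000,
    rid_base=0,
)

if __name__ == "__main__":
    user_sid = AD_RANGE.dom_sid + "-1108"
    print(user_sid, "->", sid_to_posix_id(user_sid, [AD_RANGE]))
```

A `None` result is the situation the previous paragraph describes: without a covering range the AD user has no UID/GID and cannot log in to FreeIPA clients.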